[0001] This application is related to Application Serial Number ___/___,___, entitled "Processor Supporting Execution Of An Authenticated Code Instruction"; and Application Serial Number ___/___,___, entitled "Authenticated Code Module", both filed on the same date as the present application.

BACKGROUND

[0002] Computing devices execute firmware and/or software code to perform various operations. The code may be in the form of user applications, BIOS routines, operating system routines, etc. Some operating systems provide limited protections for maintaining the integrity of the computing device against rogue code. For example, an administrator may limit users or groups of users to executing certain pre-approved code. Further, an administrator may configure a sandbox or an isolated environment in which untrusted code may be executed until the administrator deems the code trustworthy. While the above techniques provide some protection, they generally require an administrator to manually make a trust determination based upon the provider of the code, historic performance of the code, and/or review of the source code itself.

[0003] Other mechanisms have also been introduced to provide automated mechanisms for making a trust decision. For example, an entity (e.g. software manufacturer) may provide the code with a certificate such as a X.509 certificate that digitally signs the code and attests to the integrity of the code. An administrator may configure an operating system to automatically allow users to execute code that provides a certificate from a trusted entity without the administrator specifically analyzing the code in question. While the above technique may be sufficient for some environments, the above technique inherently trusts the operating system or other software executing under the control of the operating system to correctly process the certificate.

[0004] Certain operations, however, may not be able to trust the operating system to make such a determination. For example, the code to be executed may result in the computing device determining whether the operating system is to be trusted. Relying on the operating system to authenticate such code would thwart the purpose of the code. Further, the code to be executed may comprise system initialization code that is executed prior to the operating system of the computing device. Such code therefore cannot be authenticated by the operating system.

BRIEF DESCRIPTION OF THE DRAWINGS

[0005] The invention described herein is illustrated by way of example and not by way of limitation in the accompanying figures. For simplicity and clarity of illustration, elements illustrated in the figures are not necessarily drawn to scale. For example, the dimensions of some elements may be exaggerated relative to other elements for clarity. Further, where considered appropriate, reference numerals have been repeated among the figures to indicate corresponding or analogous elements.
[0006] FIGS. 1A-1E illustrate example embodiments of a computing device having private memory.

[0007] FIG. 2 illustrates an example authenticated code (AC) module that may be launched by the computing device shown in FIGS. 1A-1E.

[0008] FIG. 3 illustrates an example embodiment of the processor of the computing device shown in FIGS. 1A-1E.

[0009] FIG. 4 illustrates an example method of launching the AC module shown in FIG. 2.

[0010] FIG. 5 illustrates an example method of terminating execution of the AC module shown in FIG. 2.

[0011] FIG. 6 illustrates another embodiment of the computing device shown in FIGS. 1A-1E.

[0012] FIGS. 7A-7B illustrate example methods of launching and terminating execution of the AC module shown in FIG. 2.

[0013] FIG. 8 illustrates a system for simulating, emulating, and/or testing the processors of the computing devices shown in FIGS. 1A-1E.

DETAILED DESCRIPTION

[0014] The following description describes techniques for launching and terminating execution of authenticated code (AC) modules that may be used for various operations such as establishing and/or maintaining a trusted computing environment. In the following description, numerous specific details such as logic implementations, opcodes, means to specify operands, resource partitioning/sharing/duplication implementations, types and interrelationships of system components, and logic partitioning/integration choices are set forth in order to provide a more thorough understanding of the present invention. It will be appreciated, however, by one skilled in the art that the invention may be practiced without such specific details. In other instances, control structures, gate level circuits and full software instruction sequences have not been shown in detail in order not to obscure the invention. Those of ordinary skill in the art, with the included descriptions, will be able to implement appropriate functionality without undue experimentation.

[0015] References in the specification to "one embodiment", "an embodiment", "an example embodiment", etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.

[0016] In the following description and claims, the terms "coupled" and "connected", along with their derivatives, may be used. It should be understood that these terms are not intended as synonyms for each other. Rather, in particular embodiments, "connected" may be used to indicate that two or more elements are in direct physical or electrical contact with each other. "Coupled" may mean that two or more elements are in direct physical or electrical contact. However, "coupled" may also mean that two or more elements are not in direct contact with each other, but yet still co-operate or interact with each other.
[0017] Example embodiments of a computing device 100 are shown in FIGS. 1A-1E. The computing device 100 may comprise one or more processors 110 coupled to a chipset 120 via a processor bus 130. The chipset 120 may comprise one or more integrated circuit packages or chips that couple the processors 110 to system memory 140, a physical token 150, private memory 160, a media interface 170, and/or other I/O devices of the computing device 100.

[0018] Each processor 110 may be implemented as a single integrated circuit, multiple integrated circuits, or hardware with software routines (e.g., binary translation routines). Further, the processors 110 may comprise cache memories 112 and control registers 114 via which the cache memories 112 may be configured to operate in a normal cache mode or in a cache-as-RAM mode. In the normal cache mode, the cache memories 112 satisfy memory requests in response to cache hits, replace cache lines in response to cache misses, and may invalidate or replace cache lines in response to snoop requests of the processor bus 130. In the cache-as-RAM mode, the cache memories 112 operate as random access memory in which requests within the memory range of the cache memories 112 are satisfied by the cache memories and lines of the cache are not replaced or invalidated in response to snoop requests of the processor bus 130.

[0019] The processors 110 may further comprise a key 116 such as, for example, a key of a symmetric cryptographic algorithm (e.g. the well known DES, 3DES, and AES algorithms) or of an asymmetric cryptographic algorithm (e.g. the well-known RSA algorithm). The processor 110 may use the key 116 to authenticate an AC module 190 prior to executing the AC module 190.
[0020] The processors 110 may support one or more operating modes such as, for example, a real mode, a protected mode, a virtual real mode, and a virtual machine mode (VMX mode). Further, the processors 110 may support one or more privilege levels or rings in each of the supported operating modes. In general, the operating modes and privilege levels of a processor 110 define the instructions available for execution and the effect of executing such instructions. More specifically, a processor 110 may be permitted to execute certain privileged instructions only if the processor 110 is in an appropriate mode and/or privilege level.

[0021] The processors 110 may also support locking of the processor bus 130. As a result of locking the processor bus 130, a processor 110 obtains exclusive ownership of the processor bus 130. The other processors 110 and the chipset 120 may not obtain ownership of the processor bus 130 until the processor bus 130 is released. In an example embodiment, a processor 110 may issue a special transaction on the processor bus 130 that provides the other processors 110 and the chipset 120 with a LT.PROCESSOR.HOLD message. The LT.PROCESSOR.HOLD bus message prevents the other processors 110 and the chipset 120 from acquiring ownership of the processor bus 130 until the processor 110 releases the processor bus 130 via a LT.PROCESSOR.RELEASE bus message.

[0022] The processors 110 may however support alternative and/or additional methods of locking the processor bus 130. For example, a processor 110 may inform the other processors 110 and/or the chipset 120 of the lock condition by issuing an Inter-Processor Interrupt, asserting a processor bus lock signal, asserting a processor bus request signal, and/or causing the other processors 110 to halt execution. Similarly, the processor 110 may release the processor bus 130 by issuing an Inter-Processor Interrupt, deasserting a processor bus lock signal, deasserting a processor bus request signal, and/or causing the other processors 110 to resume execution.
[0023] The processors 110 may further support launching AC modules 190 and terminating execution of AC modules 190. In an example embodiment, the processors 110 support execution of an ENTERAC instruction that loads, authenticates, and initiates execution of an AC module 190 from private memory 160. However, the processors 110 may support additional or different instructions that cause the processors 110 to load, authenticate, and/or initiate execution of an AC module 190. These other instructions may be variants for launching AC modules 190 or may be concerned with other operations that launch AC modules 190 to help accomplish a larger task. Unless denoted otherwise, the ENTERAC instruction and these other instructions are referred to hereafter as launch AC instructions despite the fact that some of these instructions may load, authenticate, and launch an AC module 190 as a side effect of another operation such as, for example, establishing a trusted computing environment.

[0024] In an example embodiment, the processors 110 further support execution of an EXITAC instruction that terminates execution of an AC module 190 and initiates post-AC code (see FIG. 6). However, the processors 110 may support additional or different instructions that result in the processors 110 terminating an AC module 190 and launching post-AC code. These other instructions may be variants of the EXITAC instruction for terminating AC modules 190 or may be instructions concerned primarily with other operations that result in AC modules 190 being terminated as part of a larger operation. Unless denoted otherwise, the EXITAC instruction and these other instructions are referred to hereafter as terminate AC instructions despite the fact that some of these instructions may terminate AC modules 190 and launch post-AC code as a side effect of another operation such as, for example, tearing down a trusted computing environment.

[0025] The chipset 120 may comprise a memory controller 122 for controlling access to the memory 140. Further, the chipset 120 may comprise a key 124 that the processor 110 may use to authenticate an AC module 190 prior to execution. Similar to the key 116 of the processor 110, the key 124 may comprise a key of a symmetric or asymmetric cryptographic algorithm.

[0026] The chipset 120 may also comprise trusted platform registers 126 to control and provide status information about trusted platform features of the chipset 120. In an example embodiment the chipset 120 maps the trusted platform registers 126 to a private space 142 and/or a public space 144 of the memory 140 to enable the processors 110 to access the trusted platform registers 126 in a consistent manner.

[0027] For example, the chipset 120 may map a subset of the registers 126 as read only locations in the public space 144 and may map the registers 126 as read/write locations in the private space 142. The chipset 120 may configure the private space 142 in a manner that enables only processors 110 in the most privileged mode to access its mapped registers 126 with privileged read and write transactions. Further, the chipset 120 may configure the public space 144 in a manner that enables processors 110 in all privilege modes to access its mapped registers 126 with normal read and write transactions. The chipset 120 may also open the private space 142 in response to an OpenPrivate command being written to a command register 126. As a result of opening the private space 142, the processors 110 may access the private space 142 in the same manner as the public space 144 with normal unprivileged read and write transactions.
[0028] The physical token 150 of the computing device 100 comprises protected storage for recording integrity metrics and storing secrets such as, for example, encryption keys. The physical token 150 may perform various integrity functions in response to requests from the processors 110 and the chipset 120. In particular, the physical token 150 may store integrity metrics in a trusted manner, may quote integrity metrics in a trusted manner, may seal secrets such as encryption keys to a particular environment, and may only unseal secrets to the environment to which they were sealed. Hereinafter, the term "platform key" is used to refer to a key that is sealed to a particular hardware and/or software environment. The physical token 150 may be implemented in a number of different manners. However, in an example embodiment, the physical token 150 is implemented to comply with the specification of the Trusted Platform Module (TPM) described in detail in the Trusted Computing Platform Alliance (TCPA) Main Specification, Version 1.1, 31 July 2001.

[0029] The private memory 160 may store an AC module 190 in a manner that allows the processor or processors 110 that are to execute the AC module 190 to access the AC module 190 and that prevents other processors 110 and components of the computing device 100 from altering the AC module 190 or interfering with the execution of the AC module 190. As shown in FIG. 1A, the private memory 160 may be implemented with the cache memory 112 of the processor 110 that is executing the launch AC instruction. Alternatively, the private memory 160 may be implemented as a memory area internal to the processor 110 that is separate from its cache memory 112 as shown in FIG. 1B. The private memory 160 may also be implemented as a separate external memory coupled to the processors 110 via a separate dedicated bus as shown in FIG. 1C, thus enabling only the processors 110 having associated external memories to validly execute launch AC instructions.

[0030] The private memory 160 may also be implemented via the system memory 140. In such an embodiment, the chipset 120 and/or processors 110 may define certain regions of the memory 140 as private memory 160 (see FIG. 1D) that may be restricted to a specific processor 110 and that may only be accessed by the specific processor 110 when in a particular operating mode. One disadvantage of this implementation is that the processor 110 relies on the memory controller 122 of the chipset 120 to access the private memory 160 and the AC module 190. Accordingly, an AC module 190 may not be able to reconfigure the memory controller 122 without denying the processor 110 access to the AC module 190 and thus causing the processor 110 to abort execution of the AC module 190.

[0031] The private memory 160 may also be implemented as a separate memory coupled to a separate private memory controller 128 of the chipset 120 as shown in FIG. 1E. In such an embodiment, the private memory controller 128 may provide a separate interface to the private memory 160. As a result of a separate private memory controller 128, the processor 110 may be able to reconfigure the memory controller 122 for the system memory 140 in a manner that ensures that the processor 110 will be able to access the private memory 160 and the AC module 190. In general, the separate private memory controller 128 overcomes some disadvantages of the embodiment shown in FIG. 1D at the expense of an additional memory and memory controller.
[0032] The AC module 190 may be provided in any of a variety of machine readable mediums 180. The media interface 170 provides an interface to a machine readable medium 180 and AC module 190. The machine readable medium 180 may comprise any medium that can store, at least temporarily, information for reading by the media interface 170. This may include signal transmissions (via wire, optics, or air as the medium) and/or physical storage media such as various types of disk and memory storage devices.

[0033] Referring now to FIG. 2, an example embodiment of the AC module 190 is shown in more detail. The AC module 190 may comprise code 210 and data 220. The code 210 comprises one or more code pages 212 and the data 220 comprises one or more data pages 222. Each code page 212 and data page 222 in an example embodiment corresponds to a 4 kilobyte contiguous memory region; however, the code 210 and data 220 may be implemented with different page sizes or in a non-paging manner. The code pages 212 comprise processor instructions to be executed by one or more processors 110 and the data pages 222 comprise data to be accessed by one or more processors 110 and/or scratch pad for storing data generated by one or more processors 110 in response to executing instructions of the code pages 212.

[0034] The AC module 190 may further comprise one or more headers 230 that may be part of the code 210 or the data 220. The headers 230 may provide information about the AC module 190 such as, for example, module author, copyright notice, module version, module execution point location, module length, authentication method, etc. The AC module 190 may further comprise a signature 240 which may be a part of the code 210, data 220, and/or headers 230. The signature 240 may provide information about the AC module 190, authentication entity, authentication message, authentication method, and/or digest value.

[0035] The AC module 190 may also comprise an end of module marker 250. The end of module marker 250 specifies the end of the AC module 190 and may be used as an alternative to specifying the length of the AC module 190. For example, the code pages 212 and data pages 222 may be specified in a contiguous manner and the end of module marker 250 may comprise a predefined bit pattern that signals the end of the code pages 212 and data pages 222. It should be appreciated that the AC module 190 may specify its length and/or end in a number of different manners. For example, the header 230 may specify the number of bytes or the number of pages the AC module 190 contains. Alternatively, launch AC and terminate AC instructions may expect the AC module 190 to be a predefined number of bytes in length or contain a predefined number of pages. Further, launch AC and terminate AC instructions may comprise operands that specify the length of the AC module 190.

[0036] It should be appreciated that the AC module 190 may reside in a region of the memory 140 that is contiguous in the physical memory space or that is contiguous in virtual memory space. Whether physically or virtually contiguous, the locations of the memory 140 that store the AC module 190 may be specified by a starting location and a length and/or an end of module marker 250. Alternatively, the AC module 190 may be stored in memory 140 in neither a physically nor a virtually contiguous manner. For example, the AC module 190 may be stored in a data structure such as, for example, a linked list that permits the computing device 100 to store and retrieve the AC module 190 from the memory 140 in a non-contiguous manner.

[0037] As will be discussed in more detail below, the example processors 110 support launch AC instructions that load the AC module 190 into private memory 160 and initiate execution of the AC module 190 from an execution point 260. An AC module 190 to be launched by such a launch AC instruction may comprise code 210 which when loaded into the private memory 160 places the execution point 260 at a location specified by one or more operands of a launch AC instruction. Alternatively, a launch AC instruction may result in the processor 110 obtaining the location of the execution point 260 from the AC module 190 itself. For example, the code 210, data 220, a header 230, and/or signature 240 may comprise one or more fields that specify the location of the execution point 260.
[0038] As will be discussed in more detail below, the example processors 110 support launch AC instructions that authenticate the AC module 190 prior to execution. Accordingly, the AC module 190 may comprise information to support authenticity determinations by the processors 110. For example, the signature 240 may comprise a digest value 242. The digest value 242 may be generated by passing the AC module 190 through a hashing algorithm (e.g. SHA-1 or MD5) or some other algorithm. The signature 240 may also be encrypted to prevent alteration of the digest value 242 via an encryption algorithm (e.g. DES, 3DES, AES, and/or RSA algorithms). In an example embodiment, the signature 240 is RSA-encrypted with the private key that corresponds to a public key of the processor key 116, the chipset key 124, and/or platform key 152.

[0039] It should be appreciated that the AC module 190 may be authenticated via other mechanisms. For example, the AC module 190 may utilize different hashing algorithms or different encryption algorithms. Further, the AC module 190 may comprise information in the code 210, data 220, headers 230, and/or signature 240 that indicate which algorithms were used. The AC module 190 may also be protected by encrypting the whole AC module 190 for decryption via a symmetric or asymmetric key of the processor key 116, chipset key 124, or platform key 152.
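The module layout of FIG. 2 and the digest/signature check described in [0033]-[0039], carried through as an added example that is not code from the application or from any processor implementing it. The byte layout of the header 230, the end-of-module bit pattern, the placement of the signature 240 after the end marker 250, and the deliberately small RSA key pair standing in for processor key 116 are all assumptions; the application fixes none of them. The point worth seeing is that the digest 242 covers the header as well as the code and data pages, so the length field and the execution point 260 are bound by the signature: a module whose entry point has been moved into a data page, whose code has been altered, or which was signed under a key other than the one the processor holds is rejected before a single instruction of it runs.

```python
# Toy model of AC module 190 (FIG. 2) and of the check a launch AC instruction makes on it.
# Added example; not from the application. Layout, names, marker and the tiny RSA key are assumptions.
import hashlib
import random
import struct

PAGE = 4096                              # 4 KB code pages 212 / data pages 222
END_MARKER = b"\xde\xad\xac\x00" * 4     # assumed pattern for end of module marker 250
AUTH_SHA1_RSA = 1                        # assumed code for "SHA-1 digest, RSA-encrypted"
# Assumed header 230: magic, version, auth method, execution point 260 (offset from
# module start), module length (header through end marker), number of code pages.
HDR = struct.Struct("<4sHHIIH")

def _probable_prime(n, rng, rounds=16):
    """Miller-Rabin on an odd candidate; enough for the toy key."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_rsa_keypair(bits=256, seed=1):
    """Deterministic, far-too-small RSA key standing in for processor key 116: ((n, e), (n, d))."""
    rng = random.Random(seed)
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _probable_prime(c, rng):
                return c
    while True:
        p, q = prime(), prime()
        n, e, phi = p * q, 65537, (p - 1) * (q - 1)
        if p != q and phi % e:
            return (n, e), (n, pow(e, -1, phi))

def _pages(buf, fill):                   # pad to a whole number of 4 KB pages
    return buf.ljust(-(-len(buf) // PAGE) * PAGE, fill)

def build_ac_module(code, data, entry, priv):
    """header 230 | code pages 212 | data pages 222 | end marker 250 | signature 240.
    The signature is the SHA-1 digest 242 of everything before it, RSA-encrypted with
    the signer's private key, so the header fields are covered as well as the pages."""
    code_pages, data_pages = _pages(code, b"\xf4"), _pages(data, b"\x00")
    length = HDR.size + len(code_pages) + len(data_pages) + len(END_MARKER)
    header = HDR.pack(b"ACM\x00", 1, AUTH_SHA1_RSA, entry, length, len(code_pages) // PAGE)
    body = header + code_pages + data_pages + END_MARKER
    n, d = priv
    digest = int.from_bytes(hashlib.sha1(body).digest(), "big")
    return body + pow(digest, d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def authenticate_ac_module(module, pub):
    """The checks a launch AC instruction makes before executing anything.
    Returns (ok, reason)."""
    n, e = pub
    sig_len = (n.bit_length() + 7) // 8
    if len(module) < HDR.size + sig_len:
        return False, "truncated"
    magic, _version, auth, entry, length, n_code = HDR.unpack_from(module)
    if magic != b"ACM\x00":
        return False, "bad magic"
    if auth != AUTH_SHA1_RSA:
        return False, "unsupported authentication method"
    if length + sig_len != len(module):
        return False, "length field disagrees with module size"
    if module[length - len(END_MARKER):length] != END_MARKER:
        return False, "end of module marker missing"
    if not HDR.size <= entry < HDR.size + n_code * PAGE:
        return False, "execution point outside code pages"
    body, sig = module[:length], module[length:]
    expected = int.from_bytes(hashlib.sha1(body).digest(), "big")
    if pow(int.from_bytes(sig, "big"), e, n) != expected:
        return False, "digest mismatch: module altered or signed under another key"
    return True, "ok"

def demo():
    pub, priv = toy_rsa_keypair(seed=1)
    other_pub, _ = toy_rsa_keypair(seed=2)
    mod = build_ac_module(b"\xf4", b"scratch", HDR.size, priv)   # constructed sample module
    out = {"good": authenticate_ac_module(mod, pub)[0]}
    tampered = bytearray(mod)
    tampered[HDR.size] ^= 0x01                                     # flip a bit in the code page
    out["tampered_code"] = authenticate_ac_module(bytes(tampered), pub)[0]
    moved = bytearray(mod)
    struct.pack_into("<I", moved, 8, HDR.size + PAGE)              # point the entry into the data page
    out["entry_in_data"] = authenticate_ac_module(bytes(moved), pub)[0]
    out["wrong_key"] = authenticate_ac_module(mod, other_pub)[0]
    return out
```

demo() returns one verdict per case: the untouched module passes and the three manipulated cases fail. The textbook RSA and 256-bit key keep the block self-contained; a real processor would use a properly padded signature scheme and a key of useful size, and would reject a module before reading any field that the signature has not yet vouched for.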

[0040] An example embodiment of the processor 110 is illustrated in more detail in FIG. 3. As depicted, the processor 110 may comprise a front end 302, a register file 306, one or more execution units 370, and a retirement unit or back end 380. The front end 302 comprises a processor bus interface 304, a fetching unit 330 having instruction and instruction pointer registers 314, 316, a decoder 340, an instruction queue 350, and one or more cache memories 360. The register file 306 comprises general purpose registers 312, status/control registers 318, and other registers 320. The fetching unit 330 fetches the instructions specified by the instruction pointer registers 316 from the memory 140 via the processor bus interface 304 or the cache memories 360 and stores the fetched instructions in the instruction registers 314.

[0041] An instruction register 314 may contain more than one instruction. Accordingly, the decoder 340 identifies the instructions in the instruction registers 314 and places the identified instructions in the instruction queue 350 in a form suitable for execution. For example, the decoder 340 may generate and store one or more micro-operations (uops) for each identified instruction in the instruction queue 350. Alternatively, the decoder 340 may generate and store a single macro-operation (Mop) for each identified instruction in the instruction queue 350. Unless indicated otherwise the term ops is used hereafter to refer to both uops and Mops.

[0042] The processor 110 further comprises one or more execution units 370 that perform the operations dictated by the ops of the instruction queue 350. For example, the execution units 370 may comprise hashing units, decryption units, and/or microcode units that implement authentication operations that may be used to authenticate the AC module 190. The execution units 370 may perform in-order execution of the ops stored in the instruction queue 350. However, in an example embodiment, the processor 110 supports out-of-order execution of ops by the execution units 370. In such an embodiment, the processor 110 may further comprise a retirement unit 380 that removes ops from the instruction queue 350 in-order and commits the results of executing the ops to one or more registers 312, 314, 316, 318, 320 to ensure proper in-order results.

[0043] The decoder 340 may generate one or more ops for an identified launch AC instruction and the execution units 370 may load, authenticate, and/or initiate execution of an AC module 190 in response to executing the associated ops. Further, the decoder 340 may generate one or more ops for an identified terminate AC instruction and the execution units 370 may terminate execution of an AC module 190, adjust security aspects of the computing device 100, and/or initiate execution of post-AC code in response to executing the associated ops.
[0044] In particular, the decoder 340 may generate one or more ops that depend on the launch AC instruction and the zero or more operands associated with the launch AC instruction. Each launch AC instruction and its associated operands specify parameters for launching the AC module 190. For example, the launch AC instruction and/or operands may specify parameters about the AC module 190 such as AC module location, AC module length, and/or AC module execution point. The launch AC instruction and/or operands may also specify parameters about the private memory 160 such as, for example, private memory location, private memory length, and/or private memory implementation. The launch AC instruction and/or operands may further specify parameters for authenticating the AC module 190 such as specifying which authentication algorithms, hashing algorithms, decryption algorithms, and/or other algorithms are to be used. The launch AC instruction and/or operands may further specify parameters for the algorithms such as, for example, key length, key location, and/or keys. The launch AC instruction and/or operands may further specify parameters to configure the computer system 100 for AC module launch such as, for example, specifying events to be masked/unmasked and/or security capabilities to be updated.

[0045] The launch AC instructions and/or operands may provide fewer, additional, and/or different parameters than those described above. Furthermore, the launch AC instructions may comprise zero or more explicit operands and/or implicit operands. For example, the launch AC instruction may have operand values implicitly specified by processor registers and/or memory locations despite the launch AC instruction itself not comprising fields that define the location of these operands. Furthermore, the launch AC instruction may explicitly specify the operands via various techniques such as, for example, immediate data, register identification, absolute addresses, and/or relative addresses.
[0046] The decoder 340 may also generate one or more ops that depend on the terminate AC instructions and the zero or more operands associated with the terminate AC instructions. Each terminate AC instruction and its associated operands specify parameters for terminating execution of the AC module 190. For example, the terminate AC instruction and/or operands may specify parameters about the AC module 190 such as AC module location and/or AC module length. The terminate AC instruction and/or operands may also specify parameters about the private memory 160 such as, for example, private memory location, private memory length, and/or private memory implementation. The terminate AC instruction and/or operands may specify parameters about launching post-AC code such as, for example, launching method and/or post-AC code execution point. The terminate AC instruction and/or operands may further specify parameters to configure the computer system 100 for post-AC code execution such as, for example, specifying events to be masked/unmasked and/or security capabilities to be updated.

[0047] The terminate AC instructions and/or operands may provide fewer, additional, and/or different parameters than those described above. Furthermore, the terminate AC instructions may comprise zero or more explicit operands and/or implicit operands in a manner as described above in regard to the launch AC instructions.

[0048] Referring now to FIG. 4, there is depicted a method 400 of launching an AC module 190. In particular, the method 400 illustrates the operations of a processor 110 in response to executing an example ENTERAC instruction having an authenticate operand, a module operand, and a length operand. However, one skilled in the art should be able to implement other launch AC instructions having fewer, additional, and/or different operands without undue experimentation.

[0049] In block 404, the processor 110 determines whether the environment is
appropriate to start execution of an AC module 190. For example, the processor
110 may verify that its current privilege level, operating mode, and/or
addressing mode are appropriate. Further, if the processor supports multiple
hardware threads, the processor may verify that all other threads have halted.
The processor 110 may further verify that the chipset 120 meets certain
requirements. In an example embodiment of the ENTERAC instruction, the
processor 110 determines that the environment is appropriate in response to
determining that the processor 110 is in a protected flat mode of operation,
that the processor's current privilege level is 0, that the processor 110 has
halted all other threads of execution, and that the chipset 120 provides
trusted platform capabilities as indicated by one or more registers 126. Other
embodiments of launch AC instructions may define appropriate environments
differently. Other launch AC instructions and/or associated operands may
specify environment requirements that result in the processor 110 verifying
fewer, additional, and/or different parameters of its environment.
[0050] In response to determining that the environment is inappropriate for
launching an AC module 190, the processor 110 may terminate the ENTERAC
instruction with an appropriate error code (block 408). Alternatively, the
processor 110 may trap to a more trusted software layer to permit emulation of
the ENTERAC instruction.

[0051] Otherwise, the processor 110 in block 414 may update event processing to
support launching the AC module 190. In an example embodiment of the ENTERAC
instruction, the processor 110 masks processing of the INTR, NMI, SMI, INIT,
and A20M events. Other launch AC instructions and/or associated operands may
specify masking fewer, additional, and/or different events. Further, other
launch AC instructions and/or associated operands may explicitly specify the
events to be masked and the events to be unmasked. Alternatively, other
embodiments may avoid masking events by causing the computing device 100 to
execute trusted code such as, for example, event handlers of the AC module 190
in response to such events.
[0052] The processor 110 in block 416 may lock the processor bus 130 to prevent
the other processors 110 and the chipset 120 from acquiring ownership of the
processor bus 130 during the launch and execution of the AC module 190. In an
example embodiment of the ENTERAC instruction, the processor 110 obtains
exclusive ownership of the processor bus 130 by generating a special
transaction that provides the other processors 110 and the chipset 120 with a
LT.PROCESSOR.HOLD bus message. Other embodiments of launch AC instructions
and/or associated operands may specify that the processor bus 130 is to remain
unlocked or may specify a different manner to lock the processor bus 130.

[0053] The processor 110 in block 420 may configure its private memory 160 for
receiving the AC module 190. The processor 110 may clear the contents of the
private memory 160 and may configure control structures associated with the
private memory 160 to enable the processor 110 to access the private memory
160. In an example embodiment of the ENTERAC instruction, the processor 110
updates one or more control registers to switch the cache memory 112 to the
cache-as-RAM mode and invalidates the contents of its cache memory 112.

[0054] Other launch AC instructions and/or associated operands may specify
private memory parameters for different implementations of the private memory
160 (see, for example, FIGS. 1A-1E). Accordingly, the processor 110 in
executing these other launch AC instructions may perform different operations
in order to prepare the private memory 160 for the AC module 190. For example,
the processor 110 may enable/configure a memory controller (e.g. PM controller
128 of FIG. 1E) associated with the private memory 160. The processor 110 may
also provide the private memory 160 with a clear, reset, and/or invalidate
signal to clear the private memory 160. Alternatively, the processor 110 may
write zeros or some other bit pattern to the private memory 160, remove power
from the private memory 160, and/or utilize some other mechanism to clear the
private memory 160 as specified by the launch AC instruction and/or operands.
[0055] In block 424, the processor 110 loads the AC module 190 into its private
memory 160. In an example embodiment of the ENTERAC instruction, the processor
110 starts reading from a location of the memory 140 specified by the address
operand until a number of bytes specified by the length operand are transferred
to its cache memory 112. Other embodiments of launch AC instructions and/or
associated operands may specify parameters for loading the AC module 190 into
the private memory 160 in a different manner. For example, the other launch AC
instructions and/or associated operands may specify the location of the AC
module 190, the location of the private memory 160, where the AC module 190 is
to be loaded in the private memory 160, and/or the end of the AC module 190 in
numerous different manners.

[0056] In block 428, the processor 110 may further lock the private memory 160.
In an example embodiment of the ENTERAC instruction, the processor 110 updates
one or more control registers to lock its cache memory 112 to prevent external
events such as snoop requests from processors or I/O devices from altering the
stored lines of the AC module 190. However, other launch AC instructions and/or
associated operands may specify other operations for the processor 110. For
example, the processor 110 may configure a memory controller (e.g. PM
controller 128 of FIG. 1E) associated with the private memory 160 to prevent
the other processors 110 and/or chipset 120 from accessing the private memory
160. In some embodiments, the private memory 160 may already be sufficiently
locked, thus the processor 110 may take no action in block 428.

[0057] The processor 110 in block 432 determines whether the AC module 190
stored in its private memory 160 is authentic based upon a protection mechanism
specified by the protection operand of the ENTERAC instruction. In an example
embodiment of the ENTERAC instruction, the processor 110 retrieves a processor
key 116, chipset key 124, and/or platform key 162 specified by the protection
operand. The processor 110 then RSA-decrypts the signature 240 of the AC module
190 using the retrieved key to obtain the digest value 242. The processor 110
further hashes the copy of the AC module 190 stored in the private memory 160
using a SHA-1 hash to obtain a computed digest value. Because the private
memory 160 was locked in block 428, the bytes that are hashed are the same
bytes that the processor 110 will later execute, regardless of any later change
to the copy in the memory 140. The processor 110 then determines that the AC
module 190 is authentic in response to the computed digest value and the digest
value 242 having an expected relationship (e.g. equal to one another).
Otherwise, the processor 110 determines that the AC module 190 is not
authentic.

[0058] Other launch AC instructions and/or associated operands may specify
different authentication parameters. For example, the other launch AC
instructions and/or associated operands may specify a different authentication
method, different decryption algorithms, and/or different hashing algorithms.
The other launch AC instructions and/or associated operands may further specify
different key lengths, different key locations, and/or keys for authenticating
the AC module 190.

[0059] In response to determining that the AC module 190 is not authentic, the
processor 110 in block 436 generates an error code and terminates execution of
the launch AC instruction. Otherwise, the processor 110 in block 440 may update
security aspects of the computing device 100 to support execution of the AC
module 190. In an example embodiment of the ENTERAC instruction, the processor
110 in block 440 writes an OpenPrivate command to a command register 126 of the
chipset 120 to enable the processor 110 to access registers 126 via the private
space 142 with normal unprivileged read and write transactions.

[0060] Other launch AC instructions and/or associated operands may specify
other operations to configure the computing device 100 for AC module
execution. For example, a launch AC instruction and/or associated operands may
specify that the processor 110 leave the private space 142 in its current
state. A launch AC instruction and/or associated operands may also specify
that the processor 110 enable and/or disable access to certain computing
resources such as protected memory regions, protected storage devices,
protected partitions of storage devices, protected files of storage devices,
etc.

[0061] After updating security aspects of the computing device 100, the
processor 110 in block 444 may initiate execution of the AC module 190. In an
example embodiment of the ENTERAC instruction, the processor 110 loads its
instruction pointer register 316 with the physical address provided by the
module operand, resulting in the processor 110 jumping to and executing the AC
module 190 from the execution point 260 specified by the physical address.
Other launch AC instructions and/or associated operands may specify the
location of the execution point 260 in a number of alternative manners. For
example, a launch AC instruction and/or associated operands may result in the
processor 110 obtaining the location of the execution point 260 from the AC
module 190 itself.
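
The launch sequence of blocks 404 through 444, modelled in Python as an added
example (this is not code from the patent or from the processor vendor). The
toy RSA key helper, the PKCS#1 v1.5 padding, the module layout (code 210
followed by a trailing signature 240) and the processor-state field names are
assumptions made for this example; the patent fixes none of them. SHA-1 is
used because the text names it; a current design would use SHA-256 or stronger
and a modern signature scheme. The point the model makes is the one in block
432: the signature is checked over the copy in private memory, after that copy
is locked, so a later change to the copy in memory 140 cannot affect what runs.

```python
"""Model of the ENTERAC launch path (method 400, blocks 404-444).
Added example; keys, padding, module layout and state names are assumed."""
import hashlib
import hmac
import random

_rng = random.Random(0x1A5C)  # deterministic so the toy keys are reproducible
# DER prefix of a SHA-1 DigestInfo (RFC 3447, section 9.2, note 1)
_SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin; adequate for generating example keys."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def make_key(bits=512, e=65537):
    """Toy RSA key (n, e, d) standing in for processor key 116, chipset key 124
    or platform key 162. Hypothetical helper, not the patent's key material."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)


def _emsa(digest, k):
    """EMSA-PKCS1-v1_5 encoding of a SHA-1 digest into k bytes."""
    t = _SHA1_DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign_module(code, key):
    """Signer side: module = code 210 || signature 240 (assumed layout)."""
    n, _e, d = key
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(_emsa(hashlib.sha1(code).digest(), k), "big")
    return code + pow(em, d, n).to_bytes(k, "big")


def authenticate(module, key):
    """Block 432: 'RSA-decrypt' signature 240 to recover digest value 242, hash the
    module, compare. The whole padded block is compared in constant time, so a
    forgery that only gets the trailing digest right is rejected as well."""
    n, e, _d = key
    k = (n.bit_length() + 7) // 8
    if len(module) <= k:
        return False
    code, sig = module[:-k], module[-k:]
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")       # digest value 242, padded
    computed = _emsa(hashlib.sha1(code).digest(), k)   # computed digest value
    return hmac.compare_digest(recovered, computed)


ERR_ENV, ERR_AUTH, OK = "ERR_ENV", "ERR_AUTH", "OK"


def new_processor():
    """Simulated processor 110 state; field names are this example's own."""
    return {"cpl": 0, "protected_flat": True, "other_threads_halted": True,
            "events_masked": False, "bus_locked": False, "private": bytearray(),
            "private_locked": False, "private_space_open": False, "ip": None}


def enterac(cpu, memory, address, length, key):
    """ENTERAC over a simulated memory 140; `key` is the key the protection
    operand selected. Returns OK or an error code."""
    if cpu["cpl"] != 0 or not cpu["protected_flat"] or not cpu["other_threads_halted"]:
        return ERR_ENV                                  # blocks 404/408
    cpu["events_masked"] = True                         # block 414: INTR/NMI/SMI/INIT/A20M
    cpu["bus_locked"] = True                            # block 416: LT.PROCESSOR.HOLD
    cpu["private"] = bytearray()                        # block 420: cache-as-RAM, invalidated
    cpu["private"] += memory[address:address + length]  # block 424: copy module in
    cpu["private_locked"] = True                        # block 428: snoops cannot alter it
    # block 432: only the locked private copy is authenticated; memory 140 may
    # change from here on without affecting what executes.
    if not authenticate(bytes(cpu["private"]), key):
        return ERR_AUTH                                 # block 436
    cpu["private_space_open"] = True                    # block 440: OpenPrivate
    cpu["ip"] = 0                                       # block 444: execution point 260 assumed at offset 0
    return OK
```

Run `enterac` once with a correctly signed module and once after flipping a
byte of the module in memory 140: the first returns OK and leaves the bus
locked and events masked, the second returns ERR_AUTH at block 436 without
opening the private space. Flipping the byte in memory 140 after a successful
launch does not disturb the private copy, which still authenticates.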
[0062] Referring now to FIG. 5, there is depicted a method 500 of terminating
an AC module 190. In particular, the method 500 illustrates the operations of a
processor 110 in response to executing an example EXITAC instruction having a
protection operand, an events operand, and a launch operand. However, one
skilled in the art should be able to implement other terminate AC instructions
having fewer, additional, and/or different operands without undue
experimentation.

[0063] In block 504, the processor 110 may clear and/or reconfigure the private
memory 160 to prevent further access to the AC module 190 stored in the private
memory 160. In an example embodiment of the EXITAC instruction, the processor
110 invalidates its cache memory 112 and updates control registers to switch
the cache memory 112 to the normal cache mode of operation.
[0064] A terminate AC instruction and/or associated operand may specify private
memory parameters for different implementations of the private memory 160
(see, for example, FIGS. 1A-1E). Accordingly, a terminate AC instruction and/or
associated operand may result in the processor 110 performing different
operations in order to prepare the computing device 100 for post-AC code
execution. For example, the processor 110 may disable a memory controller (e.g.
PM controller 128 of FIG. 1E) associated with the private memory 160 to prevent
further access to the AC module 190. The processor 110 may also provide the
private memory 160 with a clear, reset, and/or invalidate signal to clear the
private memory 160. Alternatively, the processor 110 may write zeros or some
other bit pattern to the private memory 160, remove power from the private
memory 160, and/or utilize some other mechanism to clear the private memory 160
as specified by a terminate AC instruction and/or associated operands.
[0065] The processor 110 in block 506 may update security aspects of the
computing device 100 based upon the protection operand to support post-AC code
execution. In an example embodiment of the EXITAC instruction, the protection
operand specifies whether the processor 110 is to close the private space 142
or leave the private space 142 in its current state. In response to
determining to leave the private space 142 in its current state, the processor
110 proceeds to block 510. Otherwise, the processor 110 closes the private
space 142 by writing a ClosePrivate command to a command register 126 to
prevent the processors 110 from further accessing the registers 126 via normal
unprivileged read and write transactions to the private space 142.

[0066] A terminate AC instruction and/or associated operands of another
embodiment may result in the processor 110 updating other security aspects of
the computing device 100 to support execution of code after the AC module 190.
For example, a terminate AC instruction and/or associated operands may specify
that the processor 110 enable and/or disable access to certain computing
resources such as protected memory regions, protected storage devices,
protected partitions of storage devices, protected files of storage devices,
etc.

[0067] The processor 110 in block 510 may unlock the processor bus 130 to
enable other processors 110 and the chipset 120 to acquire ownership of the
processor bus 130. In an example embodiment of the EXITAC instruction, the
processor 110 releases exclusive ownership of the processor bus 130 by
generating a special transaction that provides the other processors 110 and the
chipset 120 with a LT.PROCESSOR.RELEASE bus message. Other embodiments of
terminate AC instructions and/or associated operands may specify that the
processor bus 130 is to remain locked or may specify a different manner to
unlock the processor bus 130.

[0068] The processor 110 in block 514 may update events processing based upon
the mask operand. In an example embodiment of the EXITAC instruction, the mask
operand specifies whether the processor 110 is to enable events processing or
leave events processing in its current state. In response to determining to
leave events processing in its current state, the processor 110 proceeds to
block 516. Otherwise, the processor 110 unmasks the INTR, NMI, SMI, INIT, and
A20M events to enable processing of such events. Other terminate AC
instructions and/or associated operands may specify unmasking fewer,
additional, and/or different events. Further, other terminate AC instructions
and/or associated operands may explicitly specify the events to be masked and
the events to be unmasked.

[0069] The processor 110 in block 516 terminates execution of the AC module 190
and launches post-AC code specified by the launch operand. In an example
embodiment of the EXITAC instruction, the processor 110 updates its code
segment register and instruction pointer register with a code segment and
segment offset specified by the launch operand. As a result, the processor 110
jumps to and begins executing from an execution point of the post-AC code
specified by the code segment and segment offset.

[0070] Other terminate AC instructions and/or associated operands may specify
the execution point of the post-AC code in a number of different manners. For
example, a launch AC instruction may result in the processor 110 saving the
current instruction pointer to identify the execution point of post-AC code. In
such an embodiment, the terminate AC instruction may retrieve the execution
point saved by the launch AC instruction and initiate execution of the post-AC
code from the retrieved execution point. In this manner, the terminate AC
instruction returns execution to the instruction following the launch AC
instruction. Further, in such an embodiment, the AC module 190 appears to have
been called, like a function call or system call, by the invoking code.
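
The termination sequence of blocks 504 through 516, together with the saved
return point of the embodiment just described, modelled in Python as an added
example (not code from the patent or from the processor vendor). The state
field names, the trace format and the operand spellings are assumptions of this
example. What it shows beyond the text is why the block order matters: the
private memory is cleared in block 504 while the bus is still held and the AC
events are still masked, so no other agent can observe the module during
teardown; `teardown_is_safe` rejects a trace that releases the bus or unmasks
events first.

```python
"""Model of the EXITAC teardown path (method 500, blocks 504-516) plus the
saved-return-point variant. Added example; state names and trace format assumed."""

INTR, NMI, SMI, INIT, A20M = "INTR", "NMI", "SMI", "INIT", "A20M"
AC_EVENTS = frozenset({INTR, NMI, SMI, INIT, A20M})


def new_cpu_in_ac_mode(module, launch_cs, launch_ip, launch_len):
    """State as a launch AC instruction leaves it: module in cache-as-RAM, bus
    held, AC events masked, private space open, and the return point saved as
    the instruction following the launch instruction (the FIG. 7B variant)."""
    return {"private": bytearray(module), "cache_as_ram": True, "bus_locked": True,
            "masked": set(AC_EVENTS), "private_space_open": True,
            "saved": (launch_cs, launch_ip + launch_len), "cs": None, "ip": None}


def exitac(cpu, protection="close", events="unmask", launch=None):
    """Run EXITAC. protection: 'close' or 'leave'; events: 'unmask' or 'leave';
    launch: (cs, offset) of post-AC code, or None to return to the saved point.
    Returns the ordered trace of steps taken, for auditing."""
    if protection not in ("close", "leave") or events not in ("unmask", "leave"):
        raise ValueError("bad EXITAC operand")
    trace = []
    # block 504: drop the module while the bus is still held and events masked
    cpu["private"][:] = bytes(len(cpu["private"]))
    cpu["cache_as_ram"] = False
    trace.append("clear_private")
    # block 506: protection operand
    if protection == "close":
        cpu["private_space_open"] = False
        trace.append("ClosePrivate")
    # block 510: LT.PROCESSOR.RELEASE
    cpu["bus_locked"] = False
    trace.append("unlock_bus")
    # block 514: mask operand
    if events == "unmask":
        cpu["masked"] -= AC_EVENTS
        trace.append("unmask_events")
    # block 516: transfer to post-AC code, explicit target or saved return point
    cpu["cs"], cpu["ip"] = launch if launch is not None else cpu["saved"]
    trace.append("launch_post_ac")
    return trace


def teardown_is_safe(trace):
    """Audit a trace: private memory must be cleared before the bus is released
    or events are unmasked, and control must transfer last. The block order in
    the text (504, 510, 514, 516) satisfies this; a reordered trace does not."""
    pos = {step: i for i, step in enumerate(trace)}
    if "clear_private" not in pos or trace[-1] != "launch_post_ac":
        return False
    return all(pos["clear_private"] < pos[s]
               for s in ("unlock_bus", "unmask_events") if s in pos)
```

With the default operands the trace is clear, ClosePrivate, unlock, unmask,
launch, and control lands on the instruction after the launch instruction.
With `protection="leave"`, `events="leave"` and an explicit `launch` target the
private space stays open and the AC events stay masked, which is the state the
post-AC code must then handle itself.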

[0071] Another embodiment of the computing device 100 is shown in FIG. 6. The
computing device 100 comprises processors 110, a memory interface 620 that
provides the processors 110 access to a memory space 640, and a media interface
170 that provides the processors 110 access to media 180. The memory space 640
comprises an address space that may span multiple machine readable media from
which the processor 110 may execute code such as, for example, firmware, system
memory 140, private memory 160, hard disk storage, network storage, etc. (see
FIGS. 1A-1E). The memory space 640 comprises pre-AC code 642, an AC module
190, and post-AC code 646. The pre-AC code 642 may comprise operating system
code, system library code, shared library code, application code, firmware
routines, BIOS routines, and/or other routines that may launch execution of an
AC module 190. The post-AC code 646 may similarly comprise operating system
code, system library code, shared library code, application code, firmware
routines, BIOS routines, and/or other routines that may be executed after the
AC module 190. It should be appreciated that the pre-AC code 642 and the
post-AC code 646 may be the same software and/or firmware module or different
software and/or firmware modules.
[0072] An example embodiment of launching and terminating an AC module is
illustrated in FIG. 7A. In block 704, the computing device 100 stores the AC
module 190 into the memory space 640 in response to executing the pre-AC code
642. In an example embodiment, the computing device 100 retrieves the AC
module 190 from a machine readable medium 180 via the media interface 170 and
stores the AC module 190 in the memory space 640. For example, the computing
device 100 may retrieve the AC module 190 from firmware, a hard drive, system
memory, network storage, a file server, a web server, etc. and may store the
retrieved AC module 190 into a system memory 140 of the computing device 100.

[0073] The computing device 100 in block 708 loads, authenticates, and
initiates execution of the AC module 190 in response to executing the pre-AC
code 642. For example, the pre-AC code 642 may comprise an ENTERAC instruction
or another launch AC instruction that results in the computing device 100
transferring the AC module 190 to private memory 160 of the memory space 640,
authenticating the AC module 190, and invoking execution of the AC module 190
from its execution point. Alternatively, the pre-AC code 642 may comprise a
series of instructions that result in the computing device 100 transferring
the AC module 190 to private memory 160 of the memory space 640, authenticating
the AC module 190, and invoking execution of the AC module 190 from its
execution point.
[0074] In block 712, the computing device 100 executes the code 210 of the AC
module 190 (see FIG. 2). The computing device 100 in block 716 terminates
execution of the AC module 190 and initiates execution of the post-AC code 646
of the memory space 640. For example, the AC module 190 may comprise an EXITAC
instruction or another terminate AC instruction that results in the computing
device 100 terminating execution of the AC module 190, updating security
aspects of the computing device 100, and initiating execution of the post-AC
code 646 from an execution point of the post-AC code 646. Alternatively, the AC
module 190 may comprise a series of instructions that result in the computing
device 100 terminating execution of the AC module 190 and initiating execution
of the post-AC code 646 from an execution point of the post-AC code 646.
[0075] Another example embodiment of launching and terminating an AC module is
illustrated in FIG. 7B. In block 740, the computing device 100 stores the AC
module 190 into the memory space 640 in response to executing the pre-AC code
642. In an example embodiment, the computing device 100 retrieves the AC
module 190 from a machine readable medium 180 via the media interface 170 and
stores the AC module 190 in the memory space 640. For example, the computing
device 100 may retrieve the AC module 190 from firmware, a hard drive, system
memory, network storage, a file server, a web server, etc. and store the
retrieved AC module 190 into a system memory 140 of the computing device 100.

[0076] The computing device 100 in block 744 loads, authenticates, and
initiates execution of the AC module 190 in response to executing the pre-AC
code 642. The computing device 100 in block 744 further saves an execution
point for the post-AC code 646 that is based upon the instruction pointer. For
example, the pre-AC code 642 may comprise an ENTERAC instruction or another
launch AC instruction that results in the computing device 100 transferring the
AC module 190 to private memory 160 of the memory space 640, authenticating the
AC module 190, invoking execution of the AC module 190 from its execution
point, and saving the instruction pointer so that the processor 110 may return
to the instruction following the launch AC instruction after executing the AC
module 190. Alternatively, the pre-AC code 642 may comprise a series of
instructions that result in the computing device 100 transferring the AC module
190 to private memory 160 of the memory space 640, authenticating the AC module
190, invoking execution of the AC module 190 from its execution point, and
saving the instruction pointer.

[0077] In block 748, the computing device 100 executes the code 210 of the AC
module 190 (see FIG. 2). The computing device 100 in block 752 terminates
execution of the AC module 190, loads the instruction pointer based execution
point saved in block 744, and initiates execution of the instruction following
the launch AC instruction or the series of instructions executed in block 744.
For example, the AC module 190 may comprise an EXITAC instruction or another
terminate AC instruction that results in the computing device 100 terminating
execution of the AC module 190, updating security aspects of the computing
device 100, and initiating execution of the post-AC code 646 from an execution
point of the post-AC code 646 specified by the instruction pointer saved in
block 744. Alternatively, the AC module 190 may comprise a series of
instructions that result in the computing device 100 terminating execution of
the AC module 190, updating security aspects of the computing device 100, and
initiating execution of the post-AC code 646 from an execution point of the
post-AC code 646 specified by the instruction pointer saved in block 744.
[0078] FIG. 8 illustrates various design representations or formats for
simulation, emulation, and fabrication of a design using the disclosed
techniques. Data representing a design may represent the design in a number of
manners. First, as is useful in simulations, the hardware may be represented
using a hardware description language or another functional description
language which essentially provides a computerized model of how the designed
hardware is expected to perform. The hardware model 810 may be stored in a
storage medium 800 such as a computer memory so that the model may be
simulated using simulation software 820 that applies a particular test suite
830 to the hardware model 810 to determine if it indeed functions as intended.
In some embodiments, the simulation software is not recorded, captured, or
contained in the medium.

[0079] Additionally, a circuit level model with logic and/or transistor gates
may be produced at some stages of the design process. This model may be
similarly simulated, sometimes by dedicated hardware simulators that form the
model using programmable logic. This type of simulation, taken a degree
further, may be an emulation technique. In any case, re-configurable hardware
is another embodiment that may involve a machine readable medium storing a
model employing the disclosed techniques.

[0080] Furthermore, most designs, at some stage, reach a level of data
representing the physical placement of various devices in the hardware model.
In the case where conventional semiconductor fabrication techniques are used,
the data representing the hardware model may be the data specifying the
presence or absence of various features on different mask layers for masks
used to produce the integrated circuit. Again, this data representing the
integrated circuit embodies the techniques disclosed in that the circuitry or
logic in the data can be simulated or fabricated to perform these techniques.

[0081] In any representation of the design, the data may be stored in any form
of a computer readable medium. An optical or electrical wave 860 modulated or
otherwise generated to transmit such information, a memory 850, or a magnetic
or optical storage 840 such as a disc may be the medium. The set of bits
describing the design or the particular part of the design are an article that
may be sold in and of itself or used by others for further design or
fabrication.

[0082] While certain exemplary embodiments have been described and shown in
the accompanying drawings, it is to be understood that such embodiments are
merely illustrative of and not restrictive on the broad invention, and that
this invention not be limited to the specific constructions and arrangements
shown and described, since various other modifications may occur to those
ordinarily skilled in the art upon studying this disclosure.
What is claimed is:

1. A method comprising

transferring an authenticated code module to a private memory; and

executing the authenticated code module stored in the private memory in
response to determining that the authenticated code module stored in the
private memory is authentic.

2. The method of claim 1 wherein transferring comprises transferring a number
of bytes specified by an operand from a memory.

3. The method of claim 1 further comprising

configuring a cache memory of the processor to operate like a random access
memory,

wherein transferring comprises storing the authenticated code module in the
cache memory.

4. The method of claim 3 further comprising invalidating the cache memory prior
to storing the authenticated code module in the cache memory.

5. The method of claim 3 further comprising locking the cache memory to prevent
lines of the authenticated code module from being replaced.
6. The method of claim 1 further comprising determining whether the
authenticated code module is authentic based upon a digital signature of the
authenticated code module.

7. The method of claim 1 further comprising

obtaining a first value from the authenticated code module stored in the
private memory;

computing a second value from the authenticated code module; and

determining that the authenticated code module is authentic in response to the
first value and the second value having a predetermined relationship.

8. The method of claim 1 further comprising

retrieving a key;

decrypting a digital signature of the authenticated code module with the key
to obtain a first value;

hashing the authenticated code module to obtain a second value; and

executing the authenticated code module in response to the first value and the
second value having a predetermined relationship.

9. The method of claim 8 wherein

decrypting comprises using the key to RSA-decrypt the digital signature, and

hashing comprises applying a SHA-1 hash to the authenticated code module to
obtain the second value.
10. The method of claim 8 further comprising retrieving the key from the
processor.

11. The method of claim 8 further comprising retrieving the key from a chipset.

12. The method of claim 8 further comprising retrieving the key from a token.

13. The method of claim 1 wherein transferring comprises receiving the
authenticated code module from a machine readable medium.

14. A computing device, comprising

a chipset;

a memory coupled to the chipset;

a machine readable medium interface to receive an authenticated code module
from a machine readable medium;

a private memory coupled to the chipset; and

a processor to transfer the authenticated code module from the machine readable
medium interface to the private memory and to authenticate the authenticated
code module stored in the private memory.

15. The computing device of claim 14, wherein the chipset comprises a memory
controller coupled to the memory and a separate private memory controller
coupled to the private memory.
16. The computing device of claim 14, wherein

the chipset comprises a key, and

the processor authenticates the authenticated code module stored in the
private memory based upon the key of the chipset.

17. The computing device of claim 14, wherein

the processor comprises a key and authenticates the authenticated code module
stored in the private memory based upon the key of the processor.

18. The computing device of claim 14, further comprising

a token coupled to the chipset, the token comprising a key, wherein

the processor authenticates the authenticated code module stored in the
private memory based upon the key of the token.

19. A computing device, comprising

a chipset;

a machine readable medium interface to receive an authenticated code module
from a machine readable medium; and

a processor coupled to the chipset via a processor bus, the processor to
transfer the authenticated code module from the machine readable medium
interface to a private memory of the processor and to authenticate the
authenticated code module stored in the private memory.
20. The computing device of claim 19, wherein the private memory is coupled to
the processor via a dedicated bus.

21. The computing device of claim 19, wherein the private memory is internal to
the processor.

22. The computing device of claim 19, wherein the private memory comprises
internal cache memory of the processor.

23. The computing device of claim 19, further comprising

other processors coupled to the chipset via the processor bus, wherein

the processor further locks the processor bus to prevent the other processors
from altering the authenticated code module.

24. A computing device, comprising

a memory;

a chipset comprising a memory controller that defines a portion of the memory
as private memory;

a machine readable medium interface to receive an authenticated code module
from a machine readable medium; and

a processor to transfer the authenticated code module from the machine readable
medium interface to the private memory and to authenticate the authenticated
code module stored in the private memory.
25. The computing device of claim 24, wherein the chipset comprises a memory
controller coupled to the memory and a separate private memory controller
coupled to the private memory.

26. The computing device of claim 24, wherein

the chipset comprises a key, and

the processor authenticates the authenticated code module stored in the
private memory based upon the key of the chipset.

27. The computing device of claim 24, wherein

the processor comprises a key and authenticates the authenticated code module
stored in the private memory based upon the key of the processor.

28. The computing device of claim 24, further comprising

a token comprising a key, wherein

the processor authenticates the authenticated code module stored in the
private memory based upon the key of the token.

29. A machine readable medium comprising one or more instructions that in
response to being executed result in a computing device

transferring an authenticated code module to a private memory associated with
a processor; and
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I 

executing the authenticated code module stored in the private memory In 
response to determining that the authenticated code modute stored In the private 
memory is authentic. 

30. The machine readable medium of claim 29, wherein the one or more
instructions in response to being executed result in the computing device
determining whether the authenticated code module is authentic based upon a
digital signature of the authenticated code module.

31. The machine readable medium of claim 29, wherein the one or more
instructions in response to being executed result in the computing device
obtaining a first value from the authenticated code module stored in the
private memory;
computing a second value from the authenticated code module; and
determining that the authenticated code module is authentic in response to
the first value and the second value having a predetermined relationship.

32. The machine readable medium of claim 29, wherein the one or more
instructions in response to being executed result in the computing device
retrieving an asymmetric key;
decrypting a digital signature of the authenticated code module with the
asymmetric key to obtain a first value;
hashing the authenticated code module to obtain a second value; and
initiating execution of the authenticated code module in response to the
first value and the second value having a predetermined relationship.



33. The machine readable medium of claim 29, wherein the one or more
instructions comprise a launch instruction that in response to being executed
results in the computing device
retrieving an asymmetric key;
decrypting a digital signature of the authenticated code module with the
asymmetric key to obtain a first value;
hashing the authenticated code module to obtain a second value; and
initiating execution of the authenticated code module in response to the
first value and the second value having a predetermined relationship.
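The verification flow of claims 31 through 33 (first value recovered from the signature with the asymmetric key, second value computed by hashing the module in private memory, execution gated on their equality), written out as an added illustration that is not part of the patent; the RSA key pair built from two Mersenne primes, the SHA-256 hash and the `launch` function are constructed toy choices for the example only.

```python
import hashlib

# Constructed toy RSA key pair (two Mersenne primes, ~92-bit modulus).
# Real ACM keys are far larger and use padded signatures; this only shows the flow.
P = 2147483647            # 2**31 - 1
Q = 2305843009213693951   # 2**61 - 1
N = P * Q
E = 65537                 # public exponent (the "asymmetric key" of claim 32)
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held by the module's signer


def hash_module(module: bytes) -> int:
    """Second value (claims 31-33): hash of the module, reduced mod N for the toy key."""
    return int.from_bytes(hashlib.sha256(module).digest(), "big") % N


def sign_module(module: bytes) -> int:
    """Signer side (not part of the claims): digital signature over the module."""
    return pow(hash_module(module), D, N)


def signature_to_first_value(signature: int) -> int:
    """First value (claim 32): 'decrypt' the signature with the public asymmetric key."""
    return pow(signature, E, N)


def is_authentic(module: bytes, signature: int) -> bool:
    """Claim 31: the predetermined relationship here is equality of the two values."""
    return signature_to_first_value(signature) == hash_module(module)


def launch(module: bytes, signature: int, private_memory: bytearray) -> bool:
    """Claims 29 and 33: transfer to private memory, authenticate the copy held
    there, and only then hand over execution. Verifying the private copy rather
    than the source image is what keeps another agent from altering the module
    between authentication and execution."""
    private_memory[:] = module
    if not is_authentic(bytes(private_memory), signature):
        return False            # launch refused; nothing from the module runs
    # Stand-in for initiating execution of the module in private memory.
    return True
```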

34. The machine readable medium of claim 33, wherein the one or more
instructions in response to being executed result in the computing device
receiving the authenticated code module via a machine readable medium
interface.